https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/

Updates from Threat Analysis Group (TAG)

0-days exploited by commercial surveillance vendor in Egypt

Sep 22, 2023
Maddie Stone, Threat Analysis Group

Last week Google's Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device. In response, yesterday Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993. This quick patching from Apple helps to better protect users, and we encourage all iOS users to install the updates as soon as possible.

Exploit delivery via man-in-the-middle (MITM)

The Intellexa exploit chain was delivered via a "man-in-the-middle" (MITM) attack, where an attacker sits between the target and the website they're trying to reach. If the target is going to a website using 'http', the attacker can intercept the traffic and send fake data back to the target to force them to a different website. Visiting a website using 'https' means that the traffic is encrypted, and the browser can verify, using the site's certificate, that the received data came from the intended website. That is not the case when using 'http'.
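The property described above, that a plaintext 'http' response can be replaced by whoever sits on the path, is also what makes this delivery visible in proxy or gateway logs: the first hop of the chain is a redirect, over plain HTTP, from the site the user asked for to a host they never typed. The detector below is an added example, not code from the TAG post or from Google; it runs over a few constructed log lines in a made-up proxy format (timestamp, client IP, request line, status, Location header), flags any plaintext request to or redirect toward the two Intellexa domains this post names (c.betly[.]me and sec-flare[.]com), and marks other plaintext cross-host redirects as low-severity items for review, since ordinary CDN redirects look the same on the wire.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in a hypothetical proxy log format (not a real product's format):
#   <timestamp> <client-ip> "<METHOD> <url> HTTP/x.y" <status> <Location header or ->
SAMPLE_LOG = """\
2023-09-14T10:02:11Z 10.0.0.7 "GET http://example.com/news HTTP/1.1" 302 http://c.betly.me/
2023-09-14T10:02:12Z 10.0.0.7 "GET http://c.betly.me/ HTTP/1.1" 302 http://sec-flare.com/
2023-09-14T10:05:00Z 10.0.0.9 "GET http://example.org/ HTTP/1.1" 301 https://example.org/
2023-09-14T10:06:00Z 10.0.0.9 "GET http://example.org/blog HTTP/1.1" 302 http://cdn.unrelated.test/x
2023-09-14T10:07:00Z 10.0.0.9 "GET https://example.net/ HTTP/1.1" 200 -
2023-09-14T10:08:00Z 10.0.0.9 "GET http://example.net/ HTTP/1.1" 200 -
"""

# Domains named in the TAG post (written there defanged as c.betly[.]me and sec-flare[.]com).
KNOWN_BAD_HOSTS = {"c.betly.me", "sec-flare.com"}
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<location>\S+)$'
)


@dataclass
class Finding:
    ts: str
    client: str
    requested: str       # defanged host the user asked for
    redirected_to: str   # defanged host in the Location header, or "-"
    severity: str        # "high" for a known host, "low" for a generic cross-host redirect
    reason: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def defang(host: str) -> str:
    # Reports and tickets should never carry a live-looking indicator.
    return host.replace(".", "[.]") if host else "-"


def classify(rec: dict) -> Optional[Finding]:
    url, status, location = rec["url"], rec["status"], rec["location"]
    # Only plaintext HTTP can be rewritten on the path without breaking the certificate
    # check, so HTTPS requests are out of scope for this detector.
    if not url.lower().startswith("http://"):
        return None
    req_host = host_of(url)
    dst_host = host_of(location) if location != "-" else ""
    common = (rec["ts"], rec["client"], defang(req_host), defang(dst_host))
    if req_host in KNOWN_BAD_HOSTS:
        return Finding(*common, "high", "request to known Intellexa host")
    if status not in REDIRECT_STATUSES or not dst_host:
        return None
    if dst_host in KNOWN_BAD_HOSTS:
        return Finding(*common, "high", "plaintext redirect to known Intellexa host")
    if dst_host != req_host:
        # Same-host upgrades (http -> https of the same site) are normal and not reported.
        return Finding(*common, "low", "plaintext cross-host redirect (review)")
    return None


def scan(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        f = classify(m.groupdict())
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.client} {f.requested} -> {f.redirected_to}: {f.reason}")
```

On the sample above the first two lines reproduce the two-hop pattern the post describes (an ordinary site answered with a redirect to c.betly[.]me, which in turn redirects to sec-flare[.]com) and are reported as high severity; the redirect to an unrelated CDN is reported as low severity for an analyst to triage; the same-host https upgrade and the plain 200 responses produce nothing.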
In the case of this campaign, if the target went to any 'http' site, the attackers injected traffic to silently redirect them to an Intellexa site, c.betly[.]me. If the user was the expected target, the site would then redirect them to the exploit server, sec-flare[.]com. While there is a spotlight on "0-click" vulnerabilities (bugs that don't require user interaction), this MITM delivery also didn't require the user to open any documents, click a specific link, or answer any phone calls.

iOS Exploit Chain

As soon as the attacker redirected the target to their exploit server, the exploit chain began to execute. For iOS, this chain included three vulnerabilities:

* CVE-2023-41993: Initial remote code execution (RCE) in Safari
* CVE-2023-41991: PAC bypass
* CVE-2023-41992: Local privilege escalation (LPE) in the XNU kernel

The chain then ran a small binary to decide whether or not to install the full Predator implant. However, TAG was unable to capture the full Predator implant. We plan to publish a technical deep dive on these exploits in line with the Google vulnerability disclosure policy.

Android Exploit Chain

The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762. This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day.

Chrome's work to protect against MITM

For years, Chrome has worked toward universal HTTPS adoption across the web. Additionally, Chrome has an "HTTPS-First Mode" that can reduce the likelihood of exploits being delivered via MITM network injection.
"HTTPS-First Mode" will attempt to load all pages over HTTPS, and show a large warning before falling back to sending an HTTP request. This setting is currently on by default for users enrolled in the Advanced Protection Program who are also signed into Chrome. We encourage all users to enable "HTTPS-First Mode" to better protect themselves from MITM attacks.

Conclusion

This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and the serious risk they pose to the safety of online users. TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward.

We would like to acknowledge and thank The Citizen Lab for their collaboration and partnership in the capturing and analysis of these exploits, and Apple for deploying a timely patch for the safety of online users.